[HowTo] Install Manjaro using UEFI, systemd-boot, LUKS and btrfs

Manjaro UEFI using systemd-boot, LUKS and btrfs

This document is the result of reading a guide linked by @TomZ in this topic How to install Arch on btrfs with systemd boot.

The following is my notes while reading and the changes I made to the subsequent installation to fit into a Manjaro system installation.

NOTE: Before you dive into btrfs - be sure to read the entire article - including the documentation linked at the end of this document.

Overview


  • UEFI using systemd-boot
  • LUKS encrypted root
  • btrfs with subvolumes
  • Sources is listed at the end of this document

You can boot from any Manjaro ISO - open a terminal - and follow this guide.

For a similar guide without LUKS read here

Assuming you know how to identify your disk devices and can replace the example device name /dev/sdy with the device for your system.

All commands written is assuming your are logged in as root. On Manjaro ISOs the root login is root:manjaro

General


Connect to your network and ensure your system clock is correct

# systemctl start systemd-timesyncd

Set a preferred mirror and branch then download databases

# pacman-mirrors -aU https://manjaro.moson.eu -Sunstable
# pacman -Syy

Partitioning and File System Creation


Partition

Clear the disk of any existing file systems using random pattern - as the partition will be encrypted this will disguise the partitions and data held on it. It will take some time to complete - hours if you are having a big storage device.

# dd if=/dev/urandom of=/dev/sdy status=progress bs=10M

Use cdisk to create the boot partition and the main partition which will be encrypted

# cfdisk /dev/sdy
  1. boot
    • 512M
    • EFI system partition type
  2. root
    • remaining space
    • default type Linux file system

Set up the encryption container

# cryptsetup luksFormat /dev/sdy2
Are you sure? YES
Enter passphrase (twice)
# cryptsetup open /dev/sdy2 luks

Format

Format to FAT32 for the boot and btrfs for the root

# mkfs.vfat -F32 /dev/sdy1
# mkfs.btrfs /dev/mapper/luks

The author of the original guide has some reasonable suggestions which also matches the defaults used by Manjaro Architect.

  • / subvolume
  • /home subvolume in case a root snapshot needs to be restored
  • /var changes often so also a separate subvolume.
  • noatime and nodiratime are used to prevent a write every time a file or directory is accessed (not great for a COW filesystem like btrfs).
  • zstd is used for compression because it's fast and provides compression similar to xz.
  • Don't use discard. Issue manual trim commands with fstrim or enable the fstrim.timer.

Subvolumes

# mount /dev/mapper/luks /mnt
# btrfs subvolume create /mnt/@
# btrfs subvolume create /mnt/@home
# btrfs subvolume create /mnt/@var
# umount /mnt
# mount -o subvol=@,ssd,compress=zstd,noatime,nodiratime /dev/mapper/luks /mnt
# mkdir /mnt/{boot,home,var}
# mount -o subvol=@home,ssd,compress=zstd,noatime,nodiratime /dev/mapper/luks /mnt/home
# mount -o subvol=@var,ssd,compress=zstd,noatime,nodiratime /dev/mapper/luks /mnt/var
# mount /dev/sdy1 /mnt/boot

Installation


Install base Manjaro

# basestrap /mnt base btrfs-progs sudo manjaro-zsh-config intel-ucode networkmanager linux54 nano vim systemd-boot-manager mkinitcpio

Generate fstab

Generate fstab and verify the content

# fstabgen -U /mnt >> /mnt/etc/fstab
# cat /mnt/etc/fstab

Configure system


Chroot

# manjaro-chroot /mnt /bin/zsh

Hostname

# echo manjaro > /etc/hostname

Edit /etc/hosts

# nano /etc/hosts
127.0.0.1   localhost
::1     localhost
127.0.1.1   manjaro.localdomain   manjaro

Shell

# chsh -s /bin/zsh

Timezone

Example for Denmark

# ln -sf /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime
# hwclock --systohc

Network Manager

Enable network connection

# systemctl enable NetworkManager

Enable ntp client

# systemctl enable systemd-timesyncd

Locale

Locale example for Danish locale

  • uncomment en_DK.UTF-8 and en_US.UTF-8

Save file and generate the messages

# nano /etc/locale.gen
# locale-gen

/etc/locale.conf

Locale.conf example for Denmark

# echo LANG=en_DK.UTF-8 > /etc/locale.conf

Root password

# passwd

/etc/mkinitcpio.conf

Add btrfs and encrypt and save

# nano /etc/mkinitcpio.conf
HOOKS="base udev btrfs encrypt autodetect modconf block filesystems keyboard fsck"
# mkinitcpio -p linux54

systemd-boot

Install the boot loader

# bootctl --path=/boot install

Create Manjaro loaders

# sdboot-manage gen

Navigate to /boot/loader/entries and check the configurations sdboot-manage has created (there will be two)

Default
title Manjaro Linux 5.4
linux /vmlinuz-5.4-x86_64
initrd /intel-ucode.img
initrd /initramfs-5.4-x86_64.img
options root=UUID=289ae676-7cbc-43a7-b4b7-e9cf325227c9 rw rootflags=subvol=/@ cryptdevice=UUID=9d336c58-0e8f-434d-b12a-b75663c4ad59
Fallback
title Manjaro Linux 5.4
linux /vmlinuz-5.4-x86_64
initrd /intel-ucode.img
initrd /initramfs-5.4-x86_64-fallback.img
options root=UUID=289ae676-7cbc-43a7-b4b7-e9cf325227c9 rw rootflags=subvol=/@ cryptdevice=UUID=9d336c58-0e8f-434d-b12a-b75663c4ad59:luks

Base config done

# exit
# umount -R /mnt
# reboot

Customizing


You should have a fully functioning Manjaro system. What comes next is your personal preferences. The example is a very basic vanilla Gnome desktop.

Gnome desktop

# pacman -Syu xorg-server xorg-server-common xorg-xinit xorg-drivers accountsservice gnome-keyring gnome-session gnome-shell gnome-desktop gnome-terminal gdm

Add a user and set password

# useradd -mUG lp,network,power,sys,wheel -s /bin/zsh newuser
# passwd newuser

Admin user

Add user to wheel group

# visudo
Uncomment and save
%wheel ALL=(ALL) ALL

Enable displaymanager

# systemctl enable gdm

Reboot

# reboot

Trouble shooting


If something went wrong and you need to get back in from the live image:

# cryptsetup open /dev/sdy2 luks
# mount -o subvol=@,ssd /dev/mapper/luks /mnt
# mount -o subvol=@home,ssd /dev/mapper/luks /mnt/home
# mount -o subvol=@var,ssd /dev/mapper/luks /mnt/var
# mount /dev/sdy1 /mnt/boot
# manjaro-chroot /mnt /bin/zsh

drive preparation resource

btrfs resources


Credits


Credits in original source

6 Likes

@anon23612428 @eugen-b

I have noticed your experience with btrfs - if you have any improvements with relation to btrfs - I will appreciate your input or direct improvements.

Unfortunately I have zero experience with systemd-boot and full disk encryption with btrfs.
Your "archy" advice sounds good to me though.

I'd rather not kill my ssd, I'd rather use Manjaro KDE and open KDE Partition Manager to get rid of stuff on the drive (e.g. lvm) and then lsblk and sudo wipefs --all /dev/sdx

You can use what method you prefer. And you are not killing your SSD.

If you choose to just use disk as is there will be readable data on it - and this defeats the purpose of encryption.

Filling the disk with zeroes - will give away any encrypted partitions on the device.

When encrypting a system think of all possibilities of doing data recovery - think like a thief - as a matter of speech.

Filling the device with random bytes - then creating your encrypted partitions - will make it very hard to distinguish encrypted data from gibberish.

Forum kindly sponsored by